PDA

View Full Version : many redirects while browsing



healing41
2007-01-28, 02:01
Incident Status Location

Virus:trj/ldpinch.a Disinfected Operating system
Virus:trj/small.lv Disinfected Operating system
Adware:adware/nowfind Not disinfected c:\windows\system32\cidft.dll
Adware:adware/craft Not disinfected c:\windows\system32\mscnf.dll
Adware:adware/spysheriff Not disinfected c:\windows\system32\thn.dll
Adware:adware/adsmart Not disinfected c:\windows\system32\thun.dll
Adware:adware/miamore Not disinfected c:\windows\q2355046_disk.dll
Virus:trj/shellbot.a Disinfected Operating system
Adware:adware/mediatickets Not disinfected Windows Registry
Spyware:spyware/apropos Not disinfected Windows Registry
Adware:adware/transponder Not disinfected Windows Registry
Potentially unwanted tool:application/kill&clean Not disinfected HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\extensions\CmdMapping\{BF69DF00-2734-477F-8257-27CD04F88779}
Adware:adware/wintools Not disinfected Windows Registry
Adware:Adware/DirectVideo Not disinfected C:\Program Files\DirectVideo\Uninstall.exe
Virus:Trj/DNSChanger.NY Disinfected C:\WINDOWS\system32\kdrbc.exe

healing41
2007-01-28, 02:02
Logfile of HijackThis v1.99.1
Scan saved at 3:44:58 PM, on 1/27/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
C:\Program Files\Java\jre1.5.0_10\bin\jusched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\DefWatch.exe
C:\Program Files\ewido anti-malware\ewidoctrl.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\Rtvscan.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\wuauclt.exe
C:\antispyware\hijackthis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://comcast.net/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.comcast.net/signin.jsp
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = actsvr.comcastonline.com:8100
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = actsvr.comcastonline.com
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_10\bin\ssv.dll
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.5.0_10\bin\jusched.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_10\bin\npjpi150_10.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_10\bin\npjpi150_10.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{6CCAAF6B-D937-404A-BF3A-7D919A1616CD}: NameServer = 85.255.116.56,85.255.112.146
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: NameServer = 85.255.116.56 85.255.112.146
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 85.255.116.56 85.255.112.146
O20 - Winlogon Notify: NavLogon - C:\WINDOWS\System32\NavLogon.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O23 - Service: DefWatch - Symantec Corporation - C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\DefWatch.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido anti-malware\ewidoctrl.exe
O23 - Service: Symantec AntiVirus Client (Norton AntiVirus Server) - Symantec Corporation - C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\Rtvscan.exe

pskelley
2007-01-28, 15:03
Welcome to the forum, you have multiple problems not the least of which is that fact your computer is hijacked by Ukrainians, see this:
http://whois.domaintools.com/85.255.116.56

Your antivirus scan shows a lot of junk, shame they won't clean it for you free. I would like to check for Smitfraud (spysheriff) and we will try to address the other issues a bit later.

Let's proceed like this:
Thanks to LonnyBJones and anyone else who helped with this fix.

1) Please download FixWareout from here:
http://www.bleepingcomputer.com/files/lonny/Fixwareout.exe

Save it to your desktop and run it. Click Next, then Install, make sure "Run fixit" is checked and click Finish.
The fix will begin; follow the prompts.
You will be asked to reboot your computer; please do so.
Your system may take longer than usual to load; this is normal.
Once the desktop loads post the text that will open (report.txt) and a new Hijackthis log in the forum please.

(hold the report and log until you finish)

2) Dowload Smitfraudfix from this link, save it to your Desktop:

http://siri.geekstogo.com/SmitfraudFix.php <<< Tutorial & download

Follow ONLY these directions:
Search:
Double-click SmitfraudFix.exe
Select 1 and hit Enter to create a report of the infected files. The report can be found at the root of the system drive, usually at C:\rapport.txt

3) Please download ATF Cleaner by Atribune
http://www.atribune.org/content/view/25/2/
Save it to your Desktop. We will use this later.

4) Open HijackThis and choose "Do a system scan only" then check the box in front of these line items:

O17 - HKLM\System\CCS\Services\Tcpip\..\{6CCAAF6B-D937-404A-BF3A-7D919A1616CD}: NameServer = 85.255.116.56,85.255.112.146
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: NameServer = 85.255.116.56 85.255.112.146
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 85.255.116.56 85.255.112.146

Close all programs but HJT and all browser windows, then click on "Fix Checked"

5) Run ATF Cleaner
Double-click ATF-Cleaner.exe to run the program.
Click Select All found at the bottom of the list.
Click the Empty Selected button.

6) You have ewido anti-malware on board and it is obsolete, follow these directions:
ewido anti-spyware 4.0 becomes AVG Anti-Spyware 7.5here: http://www.ewido.net/en/ to upgrade to the free trail version of AVG Anti-Spyware. Undate the program but DO NOT run it until I tell you to. We want to complete cleaning of Smitfraud prior to running this tool if it is present.

Restart the computer and post the report from FixWareout, the report from Smitfraudfix and a new HJT log. Post any comments you think will help.

Thanks

healing41
2007-01-29, 00:27
Logfile of HijackThis v1.99.1
Scan saved at 2:18:03 PM, on 1/28/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
C:\Program Files\Java\jre1.5.0_10\bin\jusched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\DefWatch.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\Rtvscan.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\wuauclt.exe
C:\antispyware\hijackthis.exe
C:\Program Files\Internet Explorer\iexplore.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.comcast.net/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.comcast.net/signin.jsp
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = actsvr.comcastonline.com:8100
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = actsvr.comcastonline.com
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_10\bin\ssv.dll
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.5.0_10\bin\jusched.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_10\bin\npjpi150_10.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_10\bin\npjpi150_10.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O20 - Winlogon Notify: NavLogon - C:\WINDOWS\System32\NavLogon.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O23 - Service: DefWatch - Symantec Corporation - C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\DefWatch.exe
O23 - Service: Symantec AntiVirus Client (Norton AntiVirus Server) - Symantec Corporation - C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\Rtvscan.exe

healing41
2007-01-29, 00:29
should i run it again
i can't upload the report i didn't save it i guess before rebooting. duh1

healing41
2007-01-29, 00:51
SmitFraudFix v2.137

Scan done at 13:18:09.21, Sun 01/28/2007
Run from C:\Documents and Settings\tek\Desktop\SmitfraudFix
OS: Microsoft Windows XP [Version 5.1.2600] - Windows_NT
The filesystem type is NTFS
Fix run in normal mode

»»»»»»»»»»»»»»»»»»»»»»»» C:\


»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS

C:\WINDOWS\q*_disk.dll FOUND !

»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\system


»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\Web


»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\system32

C:\WINDOWS\system32\trf32.dll FOUND !

»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\system32\LogFiles


»»»»»»»»»»»»»»»»»»»»»»»» C:\Documents and Settings\tek


»»»»»»»»»»»»»»»»»»»»»»»» C:\Documents and Settings\tek\Application Data

C:\Documents and Settings\tek\Application Data\Install.dat FOUND !

»»»»»»»»»»»»»»»»»»»»»»»» Start Menu

C:\DOCUME~1\tek\STARTM~1\Programs\DirectVideo FOUND !

»»»»»»»»»»»»»»»»»»»»»»»» C:\DOCUME~1\tek\FAVORI~1


»»»»»»»»»»»»»»»»»»»»»»»» Desktop


»»»»»»»»»»»»»»»»»»»»»»»» C:\Program Files

C:\Program Files\DirectVideo\ FOUND !

»»»»»»»»»»»»»»»»»»»»»»»» Corrupted keys


»»»»»»»»»»»»»»»»»»»»»»»» Desktop Components

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Desktop\Components\0]
"Source"="About:Home"
"SubscribedURL"="About:Home"
"FriendlyName"="My Current Home Page"


»»»»»»»»»»»»»»»»»»»»»»»» Sharedtaskscheduler
!!!Attention, following keys are not inevitably infected!!!

SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler]
"{DABB23E9-AC0D-3740-E3E5-4B37C80837E5}"="DDE Module"

[HKEY_CLASSES_ROOT\CLSID\{DABB23E9-AC0D-3740-E3E5-4B37C80837E5}\InProcServer32]
@="C:\WINDOWS\System32\wirl.dll"

[HKEY_CURRENT_USER\Software\Classes\CLSID\{DABB23E9-AC0D-3740-E3E5-4B37C80837E5}\InProcServer32]
@="C:\WINDOWS\System32\wirl.dll"


[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler]
"{0BC9BC01-54D4-4CCE-2B7D-955164314CD4}"="OLE Module"

[HKEY_CLASSES_ROOT\CLSID\{0BC9BC01-54D4-4CCE-2B7D-955164314CD4}\InProcServer32]
@="C:\WINDOWS\System32\trf32.dll"

[HKEY_CURRENT_USER\Software\Classes\CLSID\{0BC9BC01-54D4-4CCE-2B7D-955164314CD4}\InProcServer32]
@="C:\WINDOWS\System32\trf32.dll"



»»»»»»»»»»»»»»»»»»»»»»»» AppInit_DLLs
!!!Attention, following keys are not inevitably infected!!!

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
"AppInit_DLLs"=""


»»»»»»»»»»»»»»»»»»»»»»»» Winlogon.System
!!!Attention, following keys are not inevitably infected!!!

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"system"=""


»»»»»»»»»»»»»»»»»»»»»»»» pe386-msguard-lzx32-huy32


»»»»»»»»»»»»»»»»»»»»»»»» Scanning wininet.dll infection


»»»»»»»»»»»»»»»»»»»»»»»» End

pskelley
2007-01-29, 00:55
I apologize, I assumed because you posted the two scans required in the
"BEFORE you POST" -Preliminary Steps
http://forums.spybot.info/showthread.php?t=288
That you had read the directions:

Please do not attach infected files!
If a helper requests files they will give you a link to upload them.

All logs should be copy/pasted into topic and not attached unless requested by helper in that format

Thank you for your understanding. .

I need to see the report from Fixwareout, often there are files that must be removed manually. Run it again, and read the directions carefully. Post all log and reports using the Copy and Paste method, do not attach logs unless I request them that way.

Thanks

pskelley
2007-01-29, 01:06
Where did you pick up all of this junk? The Smitfraudfix "Search" shows the infection, follow these directions:

Clean:
Reboot your computer in Safe Mode (before the Windows icon appears, tap the F8 key continually)
Double-click SmitfraudFix.exe
Select 2 and hit Enter to delete infect files.
You will be prompted: Do you want to clean the registry ? answer Y (yes) and hit Enter in order to remove the Desktop background and clean registry keys associated with the infection.
The tool will now check if wininet.dll is infected. You may be prompted to replace the infected file (if found): Replace infected file ? answer Y (yes) and hit Enter to restore a clean file.
A reboot may be needed to finish the cleaning process. The report can be found at the root of the system drive, usually at C:\rapport.txt

Optional: To restore Trusted and Restricted site zone, select 3 and hit Enter.
You will be prompted: Restore Trusted Zone ? answer Y (yes) and hit Enter to delete trusted zone.
Note, if you use SpywareBlaster and/or IE-SPYAD, it will be necessary to re-install the protection both afford. For SpywareBlaster, run the program and re-protect all items. For IE-SPYAD, run the batch file and reinstall the protection.

Post the Fixwareout report, the Report.txt from Smitfraudfix "Clean" function and a new HJT log. Let me have time to look at that information.

Thanks

healing41
2007-01-29, 01:06
Fixwareout ver 1.003
Last edited 04/26/2006
Post this report in the forums please

Reg Entries that were deleted
...

Microsoft (R) Windows Script Host Version 5.6
Random Runs removed from HKLM
...

PLEASE NOTE, There WILL be LEGIT FILES LISTED. IF YOU ARE UNSURE OF WHAT IT IS LEAVE THEM ALONE.
Example ipsec6.exe is lagitamate

»»»»» Search by size and names...

»»»»» Misc files

»»»»» Checking for older varients covered by the Rem3 tool

»»»»»
Search five digit cs, dm and jb files
This WILL/CAN also list Legit Files, Submit them at Virustotal

pskelley
2007-01-29, 01:12
Thanks...Fixwareout looks like it totally removed the infection, "Clean" with Smitfraudfix and send that report, then you can run AVG Anti-Spyware and post those results. Make sure you reboot after you run the program and then create and post what should be the last HJT log. How is the computer running, some improvement?

Thanks...Phil

healing41
2007-01-29, 01:36
this is not my computer

it's the one i can use after five years of battle hardening it and then my ssob friend comes and restore defaults to internet options after i had it nice. sorry to you and thank you for all your help i am not able to afford my own computer

Yes there is a lot and he blames me

One file that came as report/file/report
can't fit

sorry i interrupted you pskelly

should i start atthe first new instruction ar the second?

I am a senior calibration technician and i know how frustrating these flubs (by me) can be and i am sorry

pskelley
2007-01-29, 01:58
http://siri.geekstogo.com/SmitfraudFix.php <<< tutorial
Follow these directions:

Clean: Reboot your computer in Safe Mode (before the Windows icon appears, tap the F8 key continually)
Double-click SmitfraudFix.exe
Select 2 and hit Enter to delete infect files.
You will be prompted: Do you want to clean the registry ? answer Y (yes) and hit Enter in order to remove the Desktop background and clean registry keys associated with the infection.
The tool will now check if wininet.dll is infected. You may be prompted to replace the infected file (if found): Replace infected file ? answer Y (yes) and hit Enter to restore a clean file.
A reboot may be needed to finish the cleaning process. The report can be found at the root of the system drive, usually at C:\rapport.txt

Optional: To restore Trusted and Restricted site zone, select 3 and hit Enter.
You will be prompted: Restore Trusted Zone ? answer Y (yes) and hit Enter to delete trusted zone.
Note, if you use SpywareBlaster and/or IE-SPYAD, it will be necessary to re-install the protection both afford. For SpywareBlaster, run the program and re-protect all items. For IE-SPYAD, run the batch file and reinstall the protection.

Post the C:\Report.txt and wait for the next instructions.

Thanks

healing41
2007-01-29, 02:11
SmitFraudFix v2.137

Scan done at 16:04:34.26, Sun 01/28/2007
Run from C:\Documents and Settings\tek\Desktop\SmitfraudFix
OS: Microsoft Windows XP [Version 5.1.2600] - Windows_NT
The filesystem type is NTFS
Fix run in normal mode

»»»»»»»»»»»»»»»»»»»»»»»» Before SmitFraudFix
!!!Attention, following keys are not inevitably infected!!!

SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler]
"{DABB23E9-AC0D-3740-E3E5-4B37C80837E5}"="DDE Module"

[HKEY_CLASSES_ROOT\CLSID\{DABB23E9-AC0D-3740-E3E5-4B37C80837E5}\InProcServer32]
@="C:\WINDOWS\System32\wirl.dll"

[HKEY_CURRENT_USER\Software\Classes\CLSID\{DABB23E9-AC0D-3740-E3E5-4B37C80837E5}\InProcServer32]
@="C:\WINDOWS\System32\wirl.dll"


[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler]
"{0BC9BC01-54D4-4CCE-2B7D-955164314CD4}"="OLE Module"

[HKEY_CLASSES_ROOT\CLSID\{0BC9BC01-54D4-4CCE-2B7D-955164314CD4}\InProcServer32]
@="C:\WINDOWS\System32\trf32.dll"

[HKEY_CURRENT_USER\Software\Classes\CLSID\{0BC9BC01-54D4-4CCE-2B7D-955164314CD4}\InProcServer32]
@="C:\WINDOWS\System32\trf32.dll"


»»»»»»»»»»»»»»»»»»»»»»»» Killing process


»»»»»»»»»»»»»»»»»»»»»»»» Generic Renos Fix

GenericRenosFix by S!Ri


»»»»»»»»»»»»»»»»»»»»»»»» Deleting infected files

C:\WINDOWS\q*_disk.dll Deleted
C:\WINDOWS\system32\trf32.dll Deleted
C:\Documents and Settings\tek\Application Data\Install.dat Deleted
C:\DOCUME~1\tek\STARTM~1\Programs\DirectVideo Deleted
C:\Program Files\DirectVideo\ Deleted

»»»»»»»»»»»»»»»»»»»»»»»» Deleting Temp Files


»»»»»»»»»»»»»»»»»»»»»»»» Winlogon.System
!!!Attention, following keys are not inevitably infected!!!

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"system"=""


»»»»»»»»»»»»»»»»»»»»»»»» Registry Cleaning

Registry Cleaning done.

»»»»»»»»»»»»»»»»»»»»»»»» After SmitFraudFix
!!!Attention, following keys are not inevitably infected!!!

SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler]
"{DABB23E9-AC0D-3740-E3E5-4B37C80837E5}"="DDE Module"

[HKEY_CLASSES_ROOT\CLSID\{DABB23E9-AC0D-3740-E3E5-4B37C80837E5}\InProcServer32]
@="C:\WINDOWS\System32\wirl.dll"

[HKEY_CURRENT_USER\Software\Classes\CLSID\{DABB23E9-AC0D-3740-E3E5-4B37C80837E5}\InProcServer32]
@="C:\WINDOWS\System32\wirl.dll"



»»»»»»»»»»»»»»»»»»»»»»»» End

pskelley
2007-01-29, 02:26
Clean:
Reboot your computer in Safe Mode (before the Windows icon appears, tap the F8 key continually)

Scan done at 16:04:34.26, Sun 01/28/2007
Run from C:\Documents and Settings\tek\Desktop\SmitfraudFix
OS: Microsoft Windows XP [Version 5.1.2600] - Windows_NT
The filesystem type is NTFS
Fix run in normal mode

Please either follow the directions or let me know why you could not.

Earlier I posted these instruction, I will post them again to be sure they are followed:

6) You have ewido anti-malware on board and it is obsolete, follow these directions:
ewido anti-spyware 4.0 becomes AVG Anti-Spyware 7.5 here: http://www.ewido.net/en/ to upgrade to the free trail version of AVG Anti-Spyware.

Please run AVG Anti-Spyware now, make sure you delete or at least quarantine anything located, here is a tutorial if it helps:
http://forums.security-central.us/showthread.php?t=3165
Save the scan report, I must see it.

Restart the computer and post the AVG Anti-Spyware Scan report and a new HJT log. Tell me how the computer is running now.

Thanks

healing41
2007-01-29, 04:13
---------------------------------------------------------
AVG Anti-Spyware - Scan Report
---------------------------------------------------------

+ Created at: 6:10:21 PM 1/28/2007

+ Scan result:



C:\WINDOWS\system32\thn.dll -> Trojan.Thun.B : No action taken.
C:\WINDOWS\system32\thun.dll -> Trojan.Thun.B : No action taken.


::Report end

healing41
2007-01-29, 04:51
SmitFraudFix v2.137

Scan done at 18:33:42.10, Sun 01/28/2007
Run from C:\Documents and Settings\tek\Desktop\SmitfraudFix
OS: Microsoft Windows XP [Version 5.1.2600] - Windows_NT
The filesystem type is NTFS
Fix run in safe mode

»»»»»»»»»»»»»»»»»»»»»»»» Before SmitFraudFix
!!!Attention, following keys are not inevitably infected!!!

SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler]
"{DABB23E9-AC0D-3740-E3E5-4B37C80837E5}"="DDE Module"

[HKEY_CLASSES_ROOT\CLSID\{DABB23E9-AC0D-3740-E3E5-4B37C80837E5}\InProcServer32]
@="C:\WINDOWS\System32\wirl.dll"

[HKEY_CURRENT_USER\Software\Classes\CLSID\{DABB23E9-AC0D-3740-E3E5-4B37C80837E5}\InProcServer32]
@="C:\WINDOWS\System32\wirl.dll"


»»»»»»»»»»»»»»»»»»»»»»»» Killing process


»»»»»»»»»»»»»»»»»»»»»»»» Generic Renos Fix

GenericRenosFix by S!Ri


»»»»»»»»»»»»»»»»»»»»»»»» Deleting infected files


»»»»»»»»»»»»»»»»»»»»»»»» Deleting Temp Files


»»»»»»»»»»»»»»»»»»»»»»»» Winlogon.System
!!!Attention, following keys are not inevitably infected!!!

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"system"=""


»»»»»»»»»»»»»»»»»»»»»»»» Registry Cleaning

Registry Cleaning done.

»»»»»»»»»»»»»»»»»»»»»»»» After SmitFraudFix
!!!Attention, following keys are not inevitably infected!!!

SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler]
"{DABB23E9-AC0D-3740-E3E5-4B37C80837E5}"="DDE Module"

[HKEY_CLASSES_ROOT\CLSID\{DABB23E9-AC0D-3740-E3E5-4B37C80837E5}\InProcServer32]
@="C:\WINDOWS\System32\wirl.dll"

[HKEY_CURRENT_USER\Software\Classes\CLSID\{DABB23E9-AC0D-3740-E3E5-4B37C80837E5}\InProcServer32]
@="C:\WINDOWS\System32\wirl.dll"



»»»»»»»»»»»»»»»»»»»»»»»» End

healing41
2007-01-29, 05:02
Logfile of HijackThis v1.99.1
Scan saved at 6:59:12 PM, on 1/28/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
C:\Program Files\Java\jre1.5.0_10\bin\jusched.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\DefWatch.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\Rtvscan.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\antispyware\hijackthis.exe

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = actsvr.comcastonline.com:8100
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = actsvr.comcastonline.com
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_10\bin\ssv.dll
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.5.0_10\bin\jusched.exe"
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_10\bin\npjpi150_10.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_10\bin\npjpi150_10.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O20 - Winlogon Notify: NavLogon - C:\WINDOWS\System32\NavLogon.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: DefWatch - Symantec Corporation - C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\DefWatch.exe
O23 - Service: Symantec AntiVirus Client (Norton AntiVirus Server) - Symantec Corporation - C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\Rtvscan.exe

healing41
2007-01-29, 06:50
---------------------------------------------------------
AVG Anti-Spyware - Scan Report
---------------------------------------------------------

+ Created at: 8:41:00 PM 1/28/2007

+ Scan result:



Nothing found.



::Report end

healing41
2007-01-29, 06:54
Logfile of HijackThis v1.99.1
Scan saved at 8:50:38 PM, on 1/28/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
C:\Program Files\Java\jre1.5.0_10\bin\jusched.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\DefWatch.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\Rtvscan.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\explorer.exe
C:\antispyware\hijackthis.exe

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = actsvr.comcastonline.com:8100
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = actsvr.comcastonline.com
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_10\bin\ssv.dll
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.5.0_10\bin\jusched.exe"
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_10\bin\npjpi150_10.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_10\bin\npjpi150_10.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O20 - Winlogon Notify: NavLogon - C:\WINDOWS\System32\NavLogon.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: DefWatch - Symantec Corporation - C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\DefWatch.exe
O23 - Service: Symantec AntiVirus Client (Norton AntiVirus Server) - Symantec Corporation - C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\Rtvscan.exe

healing41
2007-01-29, 07:36
the real problems seem to come when i'm 20 levels deep in eye candy before but now it seems the pictures are even brighter and come up faster.

pskelley
2007-01-29, 11:47
the real problems seem to come when i'm 20 levels deep in eye candy before but now it seems the pictures are even brighter and come up faster.Not sure what you are saying here? and have your malware problems cleared up?

All reports look to be clean of malware, I suggest you do this now:
System Restore does not know the good files from the bad. In case bad stuff has gotten into your System Restore files, follow the instructions in this link to get clean System Restore files. Turn it off, reboot then turn it back on:
http://service1.symantec.com/SUPPORT/tsgeninfo.nsf/docid/2001111912274039?Open&src=sec_doc_nam

AVG Anti-Spyware is a good program but it does use some resources. Once the trial is over you can update and use the scanner for as long as you wish, but unless you purchase it you should turn it off completely so it does not run unless you start it manually.

Here is some great information from Tony Klein, Texruss, ChrisRLG and Grinler to help you stay clean and safe online:
http://forums.spybot.info/showthread.php?t=279
http://russelltexas.com/malware/allclear.htm
http://forum.malwareremoval.com/viewtopic.php?t=14
http://www.bleepingcomputer.com/forums/topict2520.html
http://cybercoyote.org/security/not-admin.shtml

Thanks...pskelley
Safer Networking Forums
http://www.spybot.info/en/donate/index.html
If you are reading this information...thank a teacher,
If you are reading it in English...thank a soldier.

healing41
2007-01-30, 01:34
do i need all three of these java updates my warning label says i need to free up space on my c drive.

also can you point me to a place that will tell me how to move things (and what) to my d drive?

healing41
2007-01-30, 01:38
Also do I need 519 MB for system restore point the comp is used mainly for surfing and resumes

pskelley
2007-01-30, 02:45
You only need the newest Java update, all of the rest can be uninstalled, see this information:
http://forums.spybot.info/showpost.php?p=12880&postcount=2


Why don't you post an uninstall list, let me see if I can spot anything not needed on the computer:
Open Hijackthis.
Click the "Open the Misc Tools" section Button.
Click the "Open Uninstall Manager" Button.
Click the "Save list..." Button.
Save it to your desktop. Copy and paste the contents into your reply.


Open MyComputer and point your mouse at Local Disk C and right click then choose Properties.
On the General Tab, tell me how much Used Space and how much Free Space you have on C

If you are really this tight for space, I suggest you uninstall AVG Anti-Spyware to save the space, make sure you do the maintenance suggested in the link I provided, and you may want to use this Windows program to clean instead of installing one: http://spyware-free.us/tutorials/cleanmgr/

Have you thought about installing a bigger Hard Drive?
http://www.google.com/search?sourceid=navclient&ie=UTF-8&rls=GGLG,GGLG:2006-16,GGLG:en&q=how+to+install+a+hard+drive

Thanks

healing41
2007-01-30, 07:06
Ad-Aware SE Personal
Adobe Acrobat 5.0
AVG Anti-Spyware 7.5
Comcast High-Speed Internet Install Wizard
FileAlyzer 1.4
HijackThis 1.99.1
Hotfix for Windows XP (KB915865)
Hotfix for Windows XP (KB926239)
J2SE Runtime Environment 5.0 Update 10
LiveUpdate 1.7 (Symantec Corporation)
Macromedia Flash Player 8
Microsoft Compression Client Pack 1.0 for Windows XP
Microsoft Internationalized Domain Names Mitigation APIs
Microsoft National Language Support Downlevel APIs
Microsoft Office XP Professional
Microsoft User-Mode Driver Framework Feature Pack 1.0
Microsoft Windows Journal Viewer
Security Update for Windows Media Player 10 (KB917734)
Security Update for Windows Media Player 6.4 (KB925398)
Security Update for Windows XP (KB914388)
Security Update for Windows XP (KB917159)
Security Update for Windows XP (KB917422)
Security Update for Windows XP (KB918899)
Security Update for Windows XP (KB919007)
Security Update for Windows XP (KB920213)
Security Update for Windows XP (KB920214)
Security Update for Windows XP (KB920670)
Security Update for Windows XP (KB920683)
Security Update for Windows XP (KB920685)
Security Update for Windows XP (KB921398)
Security Update for Windows XP (KB921883)
Security Update for Windows XP (KB922616)
Security Update for Windows XP (KB922819)
Security Update for Windows XP (KB923191)
Security Update for Windows XP (KB923414)
Security Update for Windows XP (KB923694)
Security Update for Windows XP (KB923980)
Security Update for Windows XP (KB924191)
Security Update for Windows XP (KB924270)
Security Update for Windows XP (KB924496)
Security Update for Windows XP (KB925454)
Security Update for Windows XP (KB925486)
Security Update for Windows XP (KB926255)
Security Update for Windows XP (KB929969)
Spybot - Search & Destroy 1.4
Symantec AntiVirus Client
Unlocker 1.8.3
Update for Windows XP (KB916595)
Update for Windows XP (KB920872)
Update for Windows XP (KB922582)
Windows Installer 3.1 (KB893803)
Windows Media Format 11 runtime
Windows Media Format 11 runtime
Windows Media Player 11
Windows Media Player 11
Windows XP Service Pack 2
WinZip

healing41
2007-01-30, 07:10
286M free

4.22G Used

pskelley
2007-01-30, 13:24
Thanks for the information, let me first say your issue with space is a very serious one. You probably don't even have enough space to download critical updates safely. You need to consider this, and either add another hard drive, or take a serious look at what you have installed and start moving stuff to other media, like external dirves, CD's, online storage. I will do my best to advice you even though this is out of my areas, but programs like WindowsMediaPlayer 11, should never have been downloaded if you had,,,say WMP10 which worked well and needed less drive space. Well, water over the dam, let's see what you can probably do without as far as installed programs. I will suggest only, all decisions are your, but you need to get about making some as soon as possible.

Ad-Aware SE Personal: A good program, it would save you 2.72MB. Perhaps you could install it again once you figure how to get more drive space.

Adobe Acrobat 5.0: (8.83MB) This is an old version, it's up to 7.0 now I believe, you could uninstall it but you will not be able to open and view .pdf files/documents without it.

AVG Anti-Spyware 7.5: I suggest you uninstall this, once the trial is over it affords no benefits as far as realtime protection: 6.17 MB

FileAlyzer 1.4 I can't spot a size, but you can probably do with out freeware.

Unlocker 1.8.3: outdated, I am not sure of the size or why you use it.

WinZip: 7.35MB Not sure why you use this, WinXp opens .zip files. If it was free you may want to uninstall it?

Saving of 24.07MB, not a whole lot.

I see this and wonder what it means?
Windows Media Format 11 runtime
Windows Media Format 11 runtime
Windows Media Player 11
Windows Media Player 11

It looks like it was installed twice unless it is a glitch of some kind. You may want to look to see if you can tell if there are duplicate programs in C:\Program Files\ which I would assume is the default for WMP unless you installed it elsewhere?
WMP11 uses 24.56MB

Hope this helps...

healing41
2007-01-30, 19:20
the other labeled d: newvolume that is practically empty.I didin't mean to ignore your question about 20 levels deep it's when explorer says the are 20 little bars on the bottomm tool bar alll in a row in addition to the one i'm currently looking at. I wish to know how to Physically move things to the d:/new volume drive there are already parts of windows componants on it like
I386, Fonts backup ...

pskelley
2007-01-30, 19:52
http://www.pcguide.com/vb/showthread.php?t=51825
http://groups.google.com/groups?q=move+file+from+C:%5C+to+D:%5C&hl=en&sa=X&oi=groups&ct=title

ask Google: http://www.google.com/ these questions.

tashi
2007-02-06, 17:58
Glad we could help, as the malware problem appears to be resolved, this topic has been archived.

If you need it re-opened please send me a private message (pm) and provide a link to the thread. Applies only to the original poster, anyone else with similar problems please start a new topic.